linux_dsm_epyc7002/drivers/usb/core
Alan Stern d81bb019d7 USB: Fix invalid-free bug in port_over_current_notify()
Syzbot and KASAN found the following invalid-free bug in
port_over_current_notify():

--------------------------------------------------------------------------
BUG: KASAN: double-free or invalid-free in port_over_current_notify
drivers/usb/core/hub.c:5192 [inline]
BUG: KASAN: double-free or invalid-free in port_event
drivers/usb/core/hub.c:5241 [inline]
BUG: KASAN: double-free or invalid-free in hub_event+0xd97/0x4140
drivers/usb/core/hub.c:5384

CPU: 1 PID: 32710 Comm: kworker/1:3 Not tainted 4.20.0-rc3+ #129
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
  kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:336
  __kasan_slab_free+0x13a/0x150 mm/kasan/kasan.c:501
  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
  __cache_free mm/slab.c:3498 [inline]
  kfree+0xcf/0x230 mm/slab.c:3817
  port_over_current_notify drivers/usb/core/hub.c:5192 [inline]
  port_event drivers/usb/core/hub.c:5241 [inline]
  hub_event+0xd97/0x4140 drivers/usb/core/hub.c:5384
  process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
  worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
  kthread+0x35a/0x440 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
--------------------------------------------------------------------------

The problem is caused by use of a static array to store
environment-string pointers.  When the routine is called by multiple
threads concurrently, the pointers from one thread can overwrite those
from another.

The solution is to use an ordinary automatic array instead of a static
array.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: syzbot+98881958e1410ec7e53c@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-05 10:37:29 +01:00
buffer.c USB: Removing NULL check for pool since dma_pool_destroy is safe 2018-09-10 20:01:04 +02:00
config.c USB: Accept bulk endpoints with 1024-byte maxpacket 2018-05-03 10:16:38 -07:00
devices.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
devio.c Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2018-10-24 11:22:39 +01:00
driver.c USB: core: remove set but not used variable 'udev' 2018-10-09 16:02:29 +02:00
endpoint.c USB: core: move existing SPDX tags to top of the file 2017-11-03 10:12:26 +01:00
file.c USB: core: move existing SPDX tags to top of the file 2017-11-03 10:12:26 +01:00
generic.c usbcore: Select UAC3 configuration for audio if present 2018-09-20 13:12:05 +02:00
hcd-pci.c usb: Don't die twice if PCI xhci host is not responding in resume 2018-09-05 14:36:53 +02:00
hcd.c usb: core: remove flags variable in __usb_hcd_giveback_urb() 2018-09-11 10:14:47 +02:00
hub.c USB: Fix invalid-free bug in port_over_current_notify() 2018-12-05 10:37:29 +01:00
hub.h usb: hub: Per-port setting to use old enumeration scheme 2018-05-31 12:48:17 +02:00
Kconfig docs-rst: fix usb cross-references 2017-04-11 14:41:29 -06:00
ledtrig-usbport.c usb: simplify usbport trigger 2018-07-05 23:21:15 +02:00
Makefile usb: core: add a wrapper for the USB PHYs on the HCD 2018-03-09 09:43:53 -08:00
message.c usb: Avoid use-after-free by flushing endpoints early in usb_set_interface() 2018-09-05 14:36:53 +02:00
notify.c USB: core: move existing SPDX tags to top of the file 2017-11-03 10:12:26 +01:00
of.c usb: Change usb_of_get_companion_dev() place to usb/common 2018-09-10 20:40:29 +02:00
otg_whitelist.h USB: core: Remove redundant license text 2017-11-04 11:55:39 +01:00
phy.c usb: core: phy: clean up return value check about devm_of_phy_get_by_index() 2018-09-10 20:09:45 +02:00
phy.h usb: core: phy: add the SPDX-License-Identifier and include guard 2018-04-23 09:41:32 +02:00
port.c usb: export firmware port location in sysfs 2018-10-02 12:05:30 -07:00
quirks.c usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series 2018-11-26 08:09:47 +01:00
sysfs.c USB: USB 3.2 Add sysfs entries for a usb device rx_lanes and tx_lanes 2018-04-22 16:19:26 +02:00
urb.c usb: core: urb: Check SSP isoc ep comp descriptor 2018-03-20 10:13:30 +01:00
usb-acpi.c usb: clarify ACPI spec version and section number for _UPC & _PLD 2018-03-09 09:37:10 -08:00
usb.c USB: handle NULL config in usb_find_alt_setting() 2018-09-20 12:49:12 +02:00
usb.h usb: core: Add "quirks" parameter for usbcore 2018-03-20 10:16:09 +01:00